Abstract. In recent years, several practical methods have been published to compute collisions on some commonly used hash functions. Starting from two messages $m_1$ and $m_2$, these methods make it possible to compute $m'_1$ and $m'_2$, similar to the former, such that they have the same image under a given hash function. In this paper we present a method to take into account, at the symbolic level, that an intruder actively attacking a protocol execution may use these collision algorithms in reasonable time during the attack. This decision procedure relies on the reduction of constraint solving for an intruder exploiting the collision properties of hash functions to constraint solving for an intruder operating on words, that is, with an associative symbol of concatenation. The decidability of the latter is interesting in its own right, as it is the first decidability result that we are aware of for an intruder system for which unification is infinitary, and it permits us to consider in other contexts an associative concatenation of messages instead of their pairing.



1 Introduction 

Hash functions. Cryptographic hash functions play a fundamental role in modern cryptography. While related to conventional hash functions commonly used in non-cryptographic computer applications (in both cases, larger domains are mapped to smaller ranges), they have some additional properties. Our focus is restricted to cryptographic hash functions (hereafter, simply hash functions), and in particular to their use as a cryptographic primitive for data integrity, authentication, key agreement, e-cash and many other cryptographic schemes and protocols. Hash functions take a message as input and produce an output referred to as a hash-code, hash-result, hash-value, or simply a hash.



Collisions. A hash function is many-to-one, implying that the existence of collisions (pairs of inputs with identical output) is unavoidable. However, only a few years ago it was intractable to compute collisions on hash functions, so they were considered to be collision-free by cryptographers, and protocols were built upon this assumption. From the nineties on, several authors have proved the tractability of finding pseudo-collisions and collisions for several hash functions. Taking this into account, we consider that cryptographic hash functions have the following properties:

— the input can be of any length, the output has a fixed length, and $h(x)$ is relatively easy to compute for any given $x$;

— pre-image resistance: for essentially all pre-specified outputs, it is computationally infeasible to find any input which hashes to that output, i.e., given $y$, to find any $x$ such that $y = h(x)$;

— 2nd-pre-image resistance: it is computationally infeasible to find any second input which has the same output as any specified input, i.e., given $x$, to find $x'$ different from $x$ such that $h(x) = h(x')$;

— hash collision: it is computationally feasible to compute two distinct inputs $x$ and $x'$ which hash to the same output, i.e., $h(x) = h(x')$, provided that $x$ and $x'$ are created at the same time and independently of one another.

In other words, a collision-vulnerable hash function $h$ is one for which an intruder can find two different messages $x$ and $x'$ with the same hash value. To mount a collision attack, an adversary would typically begin by constructing two messages with the same hash where one message appears legitimate or innocuous while the other serves the intruder's purposes. For example, consider the following simple protocol:

$$A \to B : M, \sigma_A(M)$$

where $\sigma_A(M)$ denotes $A$'s digital signature on message $M$ using the DSA digital signature scheme, in which only the hash-value of $M$ by a function $h$ is considered. The following attack:

$$A \to B : M', \sigma_A(M)$$

can be launched successfully if the intruder first computes two different messages $M$ and $M'$ having the same hash value and then can lead Alice into executing the protocol with message $M$.

Collisions in practice. The MD5 hash function is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement on MD4, and its security has been widely studied since then by several authors. The first result was a pseudo-collision for MD5 [5]. When the initialisation vector is allowed to change, another attack (free-start collision) has been found [10]. Recently, a real collision involving two 1024-bit messages was found with the standard initialisation value [21]. This first weakness was extended into a differential-like attack [53] and tools were developed [12,11] for finding collisions which work for any initialisation value and which are quicker than the methods presented in [21]. Finally, other methods have been developed for finding new MD5 collisions [25,19]. The development of collision-finding algorithms is not restricted to the MD5 hash function. Several methods for MD4 collision search attacks have been developed [22,19]. In [22] a method to search for RIPE-MD collision attacks was also developed, and in [3] a collision on SHA-0 has been presented. Finally, Wang et al. have developed in [53] another method to search for collisions for the SHA-1 hash function.



Goal of this paper. This development of methods at the cryptographic level to build collisions in a reasonable time has until now not been taken into account in a symbolic model of cryptographic protocols. We also note that the inherent complexity of these attacks makes them not representable in any computational model that we are aware of. In this paper we propose a decision procedure to decide the insecurity of cryptographic protocols when a hash function for which collisions may be found is employed. Relying on the result of [3], we do not consider here other cryptographic primitives such as public key encryption, signature or symmetric key encryption, and assume that a protocol execution has already been split into the views of the different equational theories. The decidability proof presented here relies heavily on a recent result [5] that permits the reduction of constraint solving problems with respect to a given intruder to constraint solving problems for a simpler one. This result relies on a new notion of mode. This notion aims at exhibiting a modular structure in an equational theory but has no simple intuitive meaning. In the case of an exponential operator as treated in [5], the separation was between an exponential symbol and the abelian group operations on its exponents, whereas here the separation is introduced between the application of the hash function and the functions employed by the intruder to find collisions.

Outline. We first give in Section 2 the definitions relating to terms and equational theories. We then present in Section 3 our model of an attacker against a protocol, and how we reduce the search for flaws to reachability problems with respect to an intruder theory. In Section 4 we describe in detail how we model the fact that an intruder may construct colliding messages, and how this intruder theory can be decomposed into simpler intruder theories. We give proof sketches of these reductions in Section 5 and conclude in Section 6.

2 Formal setting 
2.1 Basic notions 

We consider an infinite set of free constants $\mathcal{C}$ and an infinite set of variables $\mathcal{X}$. For any signature $\mathcal{G}$ (i.e. a set of function symbols not in $\mathcal{C}$, with arities) we denote by $T(\mathcal{G})$ (resp. $T(\mathcal{G},\mathcal{X})$) the set of terms over $\mathcal{G} \cup \mathcal{C}$ (resp. $\mathcal{G} \cup \mathcal{C} \cup \mathcal{X}$). The former is called the set of ground terms over $\mathcal{G}$, while the latter is simply called the set of terms over $\mathcal{G}$. The arity of a function symbol $f$ is denoted by $\mathrm{ar}(f)$. Variables are denoted by $x, y$, terms are denoted by $s, t, u, v$, and finite sets of terms are written $E, F, \ldots$, and decorations thereof, respectively. We abbreviate $E \cup F$ by $E, F$, the union $E \cup \{t\}$ by $E, t$ and $E \setminus \{t\}$ by $E \setminus t$.

Given a signature $\mathcal{G}$, a constant is either a free constant or a function symbol of arity 0 in $\mathcal{G}$. We define the set of atoms $\mathrm{Atoms}$ to be the union of $\mathcal{X}$ and the set of constants. Given a term $t$ we denote by $\mathrm{Var}(t)$ the set of variables occurring in $t$ and by $\mathrm{Cons}(t)$ the set of constants occurring in $t$. We denote by $\mathrm{Atoms}(t)$ the set $\mathrm{Var}(t) \cup \mathrm{Cons}(t)$. A substitution $\sigma$ is an involutive mapping from $\mathcal{X}$ to $T(\mathcal{G},\mathcal{X})$ such that $\mathrm{Supp}(\sigma) = \{x \mid \sigma(x) \neq x\}$, the support of $\sigma$, is a finite set. The application of a substitution $\sigma$ to a term $t$ (resp. a set of terms $E$) is denoted $t\sigma$ (resp. $E\sigma$) and is equal to the term $t$ (resp. $E$) where all variables $x$ have been replaced by the term $\sigma(x)$. A substitution $\sigma$ is ground w.r.t. $\mathcal{G}$ if the image of $\mathrm{Supp}(\sigma)$ is included in $T(\mathcal{G})$.

An equational presentation $\mathcal{H} = (\mathcal{G}, A)$ is defined by a set $A$ of equations $u = v$ with $u, v \in T(\mathcal{G},\mathcal{X})$ and $u, v$ without free constants. For any equational presentation $\mathcal{H}$ the relation $=_{\mathcal{H}}$ denotes the equational theory generated by $(\mathcal{G}, A)$ on $T(\mathcal{G},\mathcal{X})$, that is the smallest congruence containing all instances of axioms of $A$. Abusively we shall not distinguish between an equational presentation $\mathcal{H}$ over a signature $\mathcal{G}$ and a set $A$ of equations presenting it, and we denote both by $\mathcal{H}$. We will also often refer to $\mathcal{H}$ as an equational theory (meaning the equational theory presented by $\mathcal{H}$). An equational theory $\mathcal{H}$ is said to be consistent if two free constants are not equal modulo $\mathcal{H}$ or, equivalently, if it has a model with more than one element modulo $\mathcal{H}$. An equational theory $\mathcal{H}$ is said to be regular if for all equations $u = v \in A$, we have $\mathrm{Var}(u) = \mathrm{Var}(v)$.

For every signature $\mathcal{G}$ that we consider, we assume that $<_{\mathcal{G}}$ is a total simplification ordering on $T(\mathcal{G})$ for which the minimal element is a free constant $c_{\min}$. Unfailing completion permits, given an equational theory $\mathcal{H}$ defined by a set $A$ of equations, to build from $A$ a (possibly infinite) set $R(A)$ of equations $l = r$ such that the ordered rewriting relation between terms is defined by $t \to_{R(A)} t'$ if:

— there exists $l = r \in R(A)$ and a ground substitution $\sigma$ such that $l\sigma = s$ and $r\sigma = s'$, $t = t[s]$ and $t' = t[s \leftarrow s']$;

— we have $t' <_{\mathcal{G}} t$.

This ordered rewriting relation is convergent, that is, for all terms $t$, all ordered rewriting sequences starting from $t$ are finite, and they all have the same limit, called the normal form of $t$. We denote this term $(t)\!\downarrow_{R(A)}$, or $(t)\!\downarrow$ when the equational theory considered is clear from the context. In the sequel we denote by $C_{spe}$ the set consisting of $c_{\min}$ and of all symbols in $\mathcal{G}$ of arity 0.

The syntactic subterms of a term $t$ are denoted $\mathrm{Sub}_{syn}(t)$ and are defined recursively as follows. If $t$ is an atom then $\mathrm{Sub}_{syn}(t) = \{t\}$. If $t = f(t_1, \ldots, t_n)$ then $\mathrm{Sub}_{syn}(t) = \{t\} \cup \bigcup_{i=1}^{n} \mathrm{Sub}_{syn}(t_i)$. The positions in a term $t$ are sequences of integers defined recursively as follows, $\epsilon$ being the empty sequence. The term $t$ is at position $\epsilon$ in $t$. We also say that $\epsilon$ is the root position. We write $p < q$ to denote that the position $p$ is a prefix of position $q$. If $u$ is a syntactic subterm of $t$ at position $p$ and if $u = f(u_1, \ldots, u_n)$ then $u_i$ is at position $p \cdot i$ in $t$ for $i \in \{1, \ldots, n\}$. We write $t|_p$ for the subterm of $t$ at position $p$. We denote by $t[s]$ a term $t$ that admits $s$ as a syntactic subterm. We denote by $\mathrm{top}(\_)$ the function that associates to each term $t$ its root symbol.

2.2 Mode in an equational theory 

We recall here the notion of mode on a signature, which is defined in [5]. Assume $\mathcal{H}$ is an equational theory over a signature $\mathcal{G}$, and let $\mathcal{G}_0$ be a subset of $\mathcal{G}$. Assume also that the set of variables is partitioned into two sets $\mathcal{X}_0$ and $\mathcal{X}_1$. We first define a signature function $\mathrm{Sign}(\_)$ on $\mathcal{G} \cup \mathrm{Atoms}$ in the following way:

$$\mathrm{Sign}(\_) : \mathcal{G} \cup \mathrm{Atoms} \to \{0, 1, 2\}$$

$$\mathrm{Sign}(f) = \begin{cases} 0 & \text{if } f \in \mathcal{G}_0 \cup \mathcal{X}_0 \\ 1 & \text{if } f \in (\mathcal{G} \setminus \mathcal{G}_0) \cup \mathcal{X}_1 \\ 2 & \text{otherwise, i.e. when } f \text{ is a free constant} \end{cases}$$

The function $\mathrm{Sign}(\_)$ is extended to terms by taking $\mathrm{Sign}(t) = \mathrm{Sign}(\mathrm{top}(t))$.

We also assume that there exists a mode function $m(\cdot, \cdot)$ such that $m(f, i)$ is defined for every symbol $f \in \mathcal{G}$ and every integer $i$ such that $1 \le i \le \mathrm{ar}(f)$. For all valid $f, i$ we have $m(f, i) \in \{0, 1\}$ and $m(f, i) \le \mathrm{Sign}(f)$. Thus for all $f \in \mathcal{G}_0$ and for all $i$ we have $m(f, i) = 0$.

Well-moded equational theories. A position different from $\epsilon$ in a term $t$ is well-moded if it can be written $p \cdot i$ (where $p$ is a position and $i$ a nonnegative integer) such that $\mathrm{Sign}(t|_{p \cdot i}) = m(\mathrm{top}(t|_p), i)$. In other words, a position in a term is well-moded if the subterm at that position is of the expected type w.r.t. the function symbol immediately above it. A term is well-moded if all its non-root positions are well-moded. Note in particular that a well-moded term does not contain free constants. If a position of $t$ is not well-moded we say it is ill-moded in $t$. A term is pure if its only ill-moded subterms are atoms. An equational presentation $\mathcal{H} = (\mathcal{G}, A)$ is well-moded if for all equations $u = v$ in $A$ the terms $u$ and $v$ are well-moded and $\mathrm{Sign}(u) = \mathrm{Sign}(v)$. One can prove that if an equational theory is well-moded then its completion is also well-moded [5].

Note that if $\mathcal{H}$ is the union of two equational theories $\mathcal{H}_0$ and $\mathcal{H}_1$ over two disjoint signatures $\mathcal{G}_0$ and $\mathcal{G}_1$, the theory $\mathcal{H}$ is well-moded when assigning mode $i$ to each argument of each operator $g \in \mathcal{G}_i$, for $i \in \{0, 1\}$.

Subterm values. The notion of mode also permits us to define a new subterm relation in $T(\mathcal{G},\mathcal{X})$.

We call a subterm value of a term $t$ a syntactic subterm of $t$ that is either atomic or occurs at an ill-moded position of $t$ (see footnote 1). We denote by $\mathrm{Sub}(t)$ the set of subterm values of $t$. By extension, for a set of terms $E$, the set $\mathrm{Sub}(E)$ is defined as the union of the subterm values of the elements of $E$. The subset of the maximal and strict subterm values of a term $t$ plays an important role in the sequel. We call these subterm values the factors of $t$, and denote this set $\mathrm{Factors}(t)$.

Example 1. Consider two binary symbols $f$ and $g$ with $\mathrm{Sign}(f) = \mathrm{Sign}(g) = 1$, $m(f, 1) = m(g, 1) = 1$ and $m(f, 2) = m(g, 2) = 0$, and $t = f(f(g(a, b), f(c, c)), d)$. Its subterm values are $a, b, f(c, c), c, d$, and its factors are $a, b, f(c, c)$ and $d$.

In the rest of this paper and unless otherwise indicated, the notion of subterm will refer to subterm values.



1 Note that the root position of a term is always ill-moded. 
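The following Python code is an added example, not part of the paper: it implements the signature and mode functions of this section over terms written as nested tuples and recomputes the subterm values and factors of Example 1. The tuple encoding of terms, the dictionaries SIGN, MODE and VARIABLE_SIGN and the function names are choices made for this example.

```python
# Added example (not from the paper): the signature and mode functions of
# Section 2.2 over terms written as nested tuples, used to recompute the
# subterm values and factors of Example 1.  Encoding (an assumption of this
# example): an atom is a string, a compound term is (symbol, arg_1, ..., arg_n).
# Variables are the atoms listed in VARIABLE_SIGN; every other atom is a free
# constant, whose signature is 2.

SIGN = {"f": 1, "g": 1}                      # Sign(f) = Sign(g) = 1, as in Example 1
MODE = {("f", 1): 1, ("f", 2): 0,            # m(f,1) = m(g,1) = 1, m(f,2) = m(g,2) = 0
        ("g", 1): 1, ("g", 2): 0}
VARIABLE_SIGN = {"x": 0, "y": 1}             # x in X_0, y in X_1 (constructed for the tests)


def is_atom(t):
    return not isinstance(t, tuple)


def top(t):
    """Root symbol of t (an atom is its own root symbol)."""
    return t if is_atom(t) else t[0]


def sign(t):
    """Sign(t) = Sign(top(t)); free constants get signature 2."""
    if is_atom(t):
        return VARIABLE_SIGN.get(t, 2)
    return SIGN[top(t)]


def positions(t, pos=()):
    """All (position, subterm) pairs of t; the root is at the empty position."""
    yield pos, t
    if not is_atom(t):
        for i, arg in enumerate(t[1:], start=1):
            yield from positions(arg, pos + (i,))


def subterm_at(t, pos):
    for i in pos:
        t = t[i]
    return t


def is_well_moded_position(t, pos):
    """A non-root position p.i is well-moded iff Sign(t|p.i) = m(top(t|p), i).
    The root position is always ill-moded (footnote 1 of the paper)."""
    if pos == ():
        return False
    parent = subterm_at(t, pos[:-1])
    return sign(subterm_at(t, pos)) == MODE[(top(parent), pos[-1])]


def is_well_moded(t):
    """A term is well-moded iff all its non-root positions are well-moded."""
    return all(is_well_moded_position(t, p) for p, _ in positions(t) if p != ())


def subterm_values(t):
    """Sub(t): syntactic subterms that are atoms or sit at an ill-moded position
    (so t itself is always in Sub(t), since the root is ill-moded)."""
    values = []
    for pos, sub in positions(t):
        if (is_atom(sub) or not is_well_moded_position(t, pos)) and sub not in values:
            values.append(sub)
    return values


def factors(t):
    """Factors(t): the maximal strict subterm values of t."""
    strict = [v for v in subterm_values(t) if v != t]

    def occurs_in(small, big):
        return any(sub == small for _, sub in positions(big))

    return [v for v in strict
            if not any(v != w and occurs_in(v, w) for w in strict)]


# The term of Example 1: t = f(f(g(a, b), f(c, c)), d)
T_EXAMPLE_1 = ("f", ("f", ("g", "a", "b"), ("f", "c", "c")), "d")

if __name__ == "__main__":
    print("subterm values:", subterm_values(T_EXAMPLE_1))
    print("factors:", factors(T_EXAMPLE_1))
```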



Unification systems. We review here properties of well-moded theories with respect to unification that are addressed in [5]. Assume $\mathcal{H}$ is a well-moded equational theory over a signature $\mathcal{G}$, and let $\mathcal{H}_0$ be its projection over the signature $\mathcal{G}_0$ of symbols of signature 0. Let us first define unification systems with ordering constraints.

Definition 1. (Unification systems) Let $\mathcal{H}$ be a set of equational axioms on $T(\mathcal{G},\mathcal{X})$. An $\mathcal{H}$-unification system $S$ is a finite set of couples of terms in $T(\mathcal{G},\mathcal{X})$ denoted by $\{u_i \overset{?}{=} v_i\}_{i \in \{1,\ldots,n\}}$. It is satisfied by a ground substitution $\sigma$, and we note $\sigma \models_{\mathcal{H}} S$, if for all $i \in \{1, \ldots, n\}$ we have $u_i\sigma =_{\mathcal{H}} v_i\sigma$.

We will consider only satisfiability of unification systems with ordering constraints. That is, we consider the following decision problem:

Ordered Unifiability
Input: An $\mathcal{H}$-unification system $S$ and an ordering $\prec$ on the variables $X$ and constants $C$ of $S$.
Output: Sat iff there exists a substitution $\sigma$ such that $\sigma \models_{\mathcal{H}} S$ and for all $x \in X$ and $c \in C$, $x \prec c$ implies $c \notin \mathrm{Sub}_{syn}(x\sigma)$.



3 Analysis of reachability properties of cryptographic protocols

We recall in this section the definitions of [1] concerning our model of an intruder actively attacking a protocol, and of the simultaneous constraint satisfaction problems employed to model a finite execution of a protocol.

3.1 Intruder deduction systems 

We first give here the general definition of intruder systems, as given in [4]. We then give the definition of a well-moded intruder that we will use in this paper. In the context of a security protocol (see e.g. [15] for a brief overview), we model messages as ground terms and intruder deduction rules as rewrite rules on sets of messages representing the knowledge of an intruder. The intruder derives new messages from a given (finite) set of messages by applying intruder rules. Since we assume some equational axioms $\mathcal{H}$ are satisfied by the function symbols in the signature, all these derivations have to be considered modulo the equational congruence $=_{\mathcal{H}}$ generated by these axioms. In our setting an intruder deduction rule is specified by a term $t$ in some signature $\mathcal{G}$. Given values for the variables of $t$ the intruder is able to generate the corresponding instance of $t$.

Definition 2. An intruder system $\mathcal{I}$ is given by a triple $(\mathcal{G}, S, \mathcal{H})$ where $\mathcal{G}$ is a signature, $S \subseteq T(\mathcal{G},\mathcal{X})$ and $\mathcal{H}$ is a set of equations between terms in $T(\mathcal{G},\mathcal{X})$. To each $t \in S$ we associate a deduction rule $L_t : \mathrm{Var}(t) \to t$, and $L_{t,g}$ denotes the set of ground instances of the rule $L_t$ modulo $\mathcal{H}$:

$$L_{t,g} = \{\, l \to r \mid \exists \sigma \text{ ground substitution on } \mathcal{G},\ l = \mathrm{Var}(t)\sigma \text{ and } r =_{\mathcal{H}} t\sigma \,\}$$

The set of rules $L_{\mathcal{I}}$ is defined as the union of the sets $L_{t,g}$ for all $t \in S$.

Each rule $l \to r$ in $L_{\mathcal{I}}$ defines an intruder deduction relation $\to_{l \to r}$ between finite sets of terms. Given two finite sets of terms $E$ and $F$ we define $E \to_{l \to r} F$ if and only if $l \subseteq E$ and $F = E \cup \{r\}$. We denote by $\to_{\mathcal{I}}$ the union of the relations $\to_{l \to r}$ for all $l \to r$ in $L_{\mathcal{I}}$ and by $\to^{*}_{\mathcal{I}}$ the transitive closure of $\to_{\mathcal{I}}$. Note that by definition, given sets of terms $E, E', F$ and $F'$ such that $E =_{\mathcal{H}} E'$ and $F =_{\mathcal{H}} F'$, we have $E \to_{\mathcal{I}} F$ iff $E' \to_{\mathcal{I}} F'$. We simply denote by $\to$ the relation $\to_{\mathcal{I}}$ when there is no ambiguity about $\mathcal{I}$.

A derivation $D$ of length $n$, $n \ge 0$, is a sequence of steps of the form $E_0 \to_{\mathcal{I}} E_0, t_1 \to_{\mathcal{I}} \cdots \to_{\mathcal{I}} E_n$ with finite sets of ground terms $E_0, \ldots, E_n$, and ground terms $t_1, \ldots, t_n$, such that $E_i = E_{i-1} \cup \{t_i\}$ for every $i \in \{1, \ldots, n\}$. The term $t_n$ is called the goal of the derivation. We define $\overline{E}^{\mathcal{I}}$ to be equal to the set $\{t \mid \exists F \text{ s.t. } E \to^{*}_{\mathcal{I}} F \text{ and } t \in F\}$, i.e. the set of terms that can be derived from $E$. If there is no ambiguity on the deduction system $\mathcal{I}$ we write $\overline{E}$ instead of $\overline{E}^{\mathcal{I}}$. We now define well-moded intruder systems and their properties.

Definition 3. Given a well-moded equational theory $\mathcal{H}$, an intruder system $\mathcal{I} = (\mathcal{G}, S, \mathcal{H})$ is well-moded if all terms in $S$ are well-moded.

3.2 Simultaneous constraint satisfaction problems 

We now introduce the constraint systems to be solved for checking protocols. It is shown in [4] how these constraint systems permit one to express the reachability of a state in a protocol execution.

Definition 4. (Constraint systems) Let $\mathcal{I} = (\mathcal{G}, S, \mathcal{H})$ be an intruder system. An $\mathcal{I}$-constraint system $\mathcal{C}$ is denoted $((E_i \triangleright v_i)_{i \in \{1,\ldots,n\}}, S)$ and it is defined by a sequence of couples $(E_i, v_i)$ with $v_i \in \mathcal{X}$ and $E_i \subseteq T(\mathcal{G},\mathcal{X})$ for $i \in \{1, \ldots, n\}$, with $E_{i-1} \subseteq E_i$ for $i \in \{2, \ldots, n\}$, and by an $\mathcal{H}$-unification system $S$.

An $\mathcal{I}$-constraint system $\mathcal{C}$ is satisfied by a ground substitution $\sigma$ if for all $i \in \{1, \ldots, n\}$ we have $v_i\sigma \in \overline{E_i\sigma}$ and if $\sigma \models_{\mathcal{H}} S$. If a ground substitution $\sigma$ satisfies a constraint system $\mathcal{C}$ we denote it by $\sigma \models_{\mathcal{I}} \mathcal{C}$.

Constraint systems are denoted by $\mathcal{C}$ and decorations thereof. Note that if a substitution $\sigma$ is a solution of a constraint system $\mathcal{C}$, by definition of constraint and unification systems the substitution $(\sigma)\!\downarrow$ is also a solution of $\mathcal{C}$. In the context of cryptographic protocols the inclusion $E_{i-1} \subseteq E_i$ means that the knowledge of an intruder does not decrease as the protocol progresses: after receiving a message an honest agent will respond to it. This response can be added to the knowledge of an intruder who listens to all communications.



We are not interested in general constraint systems but only in those related to protocols. In particular we need to express that a message to be sent at some step $i$ should be built from previously received messages recorded in the variables $v_j$, $j < i$, and from the initial knowledge. To this end we define:

Definition 5. (Deterministic Constraint Systems) We say that an $\mathcal{I}$-constraint system $((E_i \triangleright v_i)_{i \in \{1,\ldots,n\}}, S)$ is deterministic if for all $i$ in $\{1, \ldots, n\}$ we have $\mathrm{Var}(E_i) \subseteq \{v_1, \ldots, v_{i-1}\}$.

In order to be able to combine solutions of constraints for the intruder theory $\mathcal{I}$ with solutions of constraint systems for intruders defined on a disjoint signature we have, as for unification, to introduce some ordering constraints to be satisfied by the solution (see [4] for details on this construction). Intuitively, these ordering constraints prevent cycles from being introduced when building a global solution. This motivates us to define the Ordered Satisfiability problem:

Ordered Satisfiability
Input: an $\mathcal{I}$-constraint system $\mathcal{C}$, $X = \mathrm{Var}(\mathcal{C})$, $C = \mathrm{Const}(\mathcal{C})$ and a linear ordering $\prec$ on $X \cup C$.
Output: Sat iff there exists a substitution $\sigma$ such that $\sigma \models_{\mathcal{I}} \mathcal{C}$ and for all $x \in X$ and $c \in C$, $x \prec c$ implies $c \notin \mathrm{Sub}_{syn}(x\sigma)$.



4 Model of a collision-aware intruder 

We define in this section intruder systems to model the way an active intruder may deliberately create collisions for the application of hash functions. Note that our model does not take into account the time needed for finding collisions, which is significantly greater than the time necessary for other operations. The results that we can obtain can therefore be seen as worst-case results, and should be assessed with respect to the possible time deadline in the actual specification of a protocol under analysis. Further work will also be concerned with the fact that, given a bound on the intruder's deduction capabilities, a collision may be found only with a probability $p$, $0 < p < 1$.

We consider in this paper five different intruder models. We will reduce in two steps the most complex one to a simpler one, relying on the notion of well-moded theories and on the results in [5]. We then prove decidability of ordered reachability for this simpler intruder system.

4.1 Intruder on words 

We first define our goal intruder, that is an intruder only able to concatenate messages and extract prefixes and suffixes. We denote by $\mathcal{I}_{AU} = (\mathcal{F}_{AU}, S_{AU}, \mathcal{E}_{AU})$ an intruder system that operates on words, such that, if $\_ \cdot \_$ denotes the concatenation and $\epsilon$ denotes the empty word, the intruder has at its disposal all ground instances of the following deduction rules:

$$x, y \to x \cdot y$$
$$x \cdot y \to x$$
$$x \cdot y \to y$$
$$\to \epsilon$$

We moreover assume that the concatenation and empty word operations satisfy the following equations:

$$x \cdot (y \cdot z) = (x \cdot y) \cdot z \qquad x \cdot \epsilon = x \qquad \epsilon \cdot x = x$$

Given these definitions, we can see terms over $T(\mathcal{F}_{AU}, \mathcal{X})$ as words over the alphabet $\mathcal{X} \cup \mathcal{C}$, and we denote by $\mathrm{letters}(w)$ the set of atoms (either variables or free constants) occurring in $w$. As usual, we extend $\mathrm{letters}(\_)$ to sets of terms in $T(\mathcal{F}_{AU}, \mathcal{X})$ by taking the union of the letters occurring in each term.

Pitfall. Notice that this intruder model does not fit into the intruder systems definition of [4,5]. The rationale for this is that, in the notation given here, the application of the rules is non-deterministic, and thus cannot be modelled easily in our "deduction by normalisation" model. We however believe that a deterministic and still associative model of message concatenation by means of an "element" unary operator, an associative operator "$\cdot$", and Head and Tail operations may be introduced. This means that we also assume that unification problems are only among words of this underlying theory, disregarding equations that may involve these extra operators. Another direction would be to extend the current definition of intruder systems to take these deductions directly into account. We leave the exact soundness of our model for further analysis and concentrate on the treatment of collision discovery for hash functions.

4.2 Intruder on words with free function symbols 

We extend the $\mathcal{I}_{AU}$ intruder with two free function symbols $g$ and $f$. We first define an intruder able to compose messages using a free function symbol $g$ of arity 4. We denote by $\mathcal{I}_g = (\{g\}, \{g(x_1, x_2, y_1, y_2)\}, \emptyset)$ this intruder. It has at its disposal all ground instances of the following rule:

$$x_1, x_2, y_1, y_2 \to g(x_1, x_2, y_1, y_2)$$

We define a similar intruder with function symbol $f$. We denote by $\mathcal{I}_f = (\{f\}, \{f(x_1, x_2, y_1, y_2)\}, \emptyset)$ this intruder, which has at its disposal all ground instances of the following rule:

$$x_1, x_2, y_1, y_2 \to f(x_1, x_2, y_1, y_2)$$

Finally, we define the $\mathcal{I}_{free}$ intruder as the disjoint union of $\mathcal{I}_{AU}$, $\mathcal{I}_f$ and $\mathcal{I}_g$, and we have:

$$\mathcal{I}_{free} = (\mathcal{F}_{AU} \cup \{g, f\},\ S_{AU} \cup \{f(x_1, x_2, y_1, y_2), g(x_1, x_2, y_1, y_2)\},\ \mathcal{E}_{AU})$$



4.3 Hash-colliding intruder 



We consider a signature modelling the following different operations:

— the concatenation of two messages, the extraction of a suffix or a prefix of a concatenated message and the production of an empty message, as in the case of the $\mathcal{I}_{AU}$ intruder system;

— the application of a hash function $h$ for which it is possible to find collisions, the hash-value of a message $m$ being denoted $h(m)$;

— two function symbols $f$ and $g$ denoting the (complex) algorithm being used to find collisions starting from two different messages $m$ and $m'$.

We assume that the algorithm employed by the intruder to find collisions starting from two messages $m$ and $m'$ proceeds as follows:

1. First the intruder splits both messages into two parts, thus choosing $m_1, m_2, m'_1, m'_2$ such that $m = m_1 \cdot m_2$ and $m' = m'_1 \cdot m'_2$;

2. Then, in order to find collisions, the intruder computes two messages $g(m_1, m_2, m'_1, m'_2)$ and $f(m_1, m_2, m'_1, m'_2)$ such that:

$$(HC)\qquad h(m_1 \cdot g(m_1, m_2, m'_1, m'_2) \cdot m_2) = h(m'_1 \cdot f(m_1, m_2, m'_1, m'_2) \cdot m'_2)$$

A consequence of our model is that in order to build collisions starting from two messages $m$ and $m'$ the intruder must know (i.e. have in its knowledge set) these two messages. A side effect is that it is not possible to build three (or more) different messages with the same hash value by iterating the search for collisions. Formally, the core of the proof of this assertion is Lemma 5.

In a more comprehensive model we might moreover want to model that collisions cannot always be found using attacks published in the literature, but instead that, given a deadline, the probability $p$ of success of an attack is strictly below 1. This would imply that the application of this rule by the intruder would, assuming independence of collision attacks, reduce the likelihood of the symbolic attack found. In this setting our model would account for attacks with a non-negligible probability of success, as is shown in [2].

Leaving probabilities aside, we express the intruder's deductions in our setting by adding the rule $x \to h(x)$ to the deduction rules of the $\mathcal{I}_{free}$ intruder. As a consequence, the previous description of the $\mathcal{I}_{free}$ intruder enables us to model a collision-capable intruder, denoted $\mathcal{I}_h$ below.
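The following Python code is an added example, not part of the paper: it decides equality of ground terms modulo $\mathcal{E}_{AU} \cup \{(HC)\}$, i.e. whether $h(u) = h(v)$ holds because $u = v$ or because the pair is an instance of (HC) (the disjunction guessed at Step 6 of Algorithm 1 in Section 5.1), and it builds the colliding pair of the two-step procedure above from $m$, $m'$ and the chosen split points, replaying the signature substitution of the introduction. The flat-tuple encoding of words and the function names are assumptions of this example.

```python
# Added example (not from the paper): deciding h(u) = h(v) modulo
# E_AU U {(HC)} for ground terms of the I_h signature, and building the
# colliding pair of Section 4.3.  Encoding (an assumption of this example):
# a word is a flat tuple of letters, so associativity of "." is built in and
# () is the empty word epsilon; a letter is a free constant (a string) or a
# compound term ("f", m1, m2, m1p, m2p), ("g", m1, m2, m1p, m2p) or ("h", w)
# whose arguments are words.


def concat(*words):
    """x . y in AU normal form: flattening makes x.(y.z) and (x.y).z coincide."""
    return tuple(letter for w in words for letter in w)


def equal_word(u, v):
    """u = v modulo E_h for words: same length and letters pairwise equal."""
    return len(u) == len(v) and all(equal_letter(a, b) for a, b in zip(u, v))


def equal_letter(a, b):
    """Congruence: f/g letters need equal arguments, h letters use (HC)."""
    if isinstance(a, str) or isinstance(b, str):
        return a == b
    if a[0] != b[0] or len(a) != len(b):
        return False
    if a[0] == "h":
        return hash_args_equal(a[1], b[1])
    return all(equal_word(x, y) for x, y in zip(a[1:], b[1:]))


def hc_steps(w):
    """Words reachable from w by one application of (HC), in either direction:
    m1 . g(m1,m2,m1',m2') . m2   <->   m1' . f(m1,m2,m1',m2') . m2'
    The letter's own arguments fix which prefix and suffix w must have."""
    for i, letter in enumerate(w):
        if isinstance(letter, str) or letter[0] not in ("f", "g"):
            continue
        sym, m1, m2, m1p, m2p = letter
        before, after = (m1, m2) if sym == "g" else (m1p, m2p)
        if equal_word(w[:i], before) and equal_word(w[i + 1:], after):
            other = "f" if sym == "g" else "g"
            lhs, rhs = (m1p, m2p) if sym == "g" else (m1, m2)
            yield concat(lhs, ((other, m1, m2, m1p, m2p),), rhs)


def hash_args_equal(u, v):
    """h(u) = h(v) modulo E_h: u = v, or v is reached from u by (HC) steps.
    This is the disjunction guessed at Step 6 of Algorithm 1 (Section 5.1):
    equality of the hashed messages, or a collision set up by the intruder."""
    seen, frontier = [u], [u]
    while frontier:
        w = frontier.pop()
        if equal_word(w, v):
            return True
        for w2 in hc_steps(w):
            if not any(equal_word(w2, s) for s in seen):
                seen.append(w2)
                frontier.append(w2)
    return False


def collide(m, mp, i, j):
    """The two colliding messages the intruder builds from m and m' that it knows,
    cutting m after i letters and m' after j letters (the two-step procedure
    of Section 4.3).  Returns (m1.g(..).m2, m1'.f(..).m2')."""
    m1, m2, m1p, m2p = m[:i], m[i:], mp[:j], mp[j:]
    args = (m1, m2, m1p, m2p)
    return concat(m1, (("g",) + args,), m2), concat(m1p, (("f",) + args,), m2p)


def signature_accepts(signed_message, presented_message):
    """The check made by B in the protocol of the introduction, where sigma_A(M)
    depends on M only through h(M): B accepts iff h(presented) = h(signed)."""
    return hash_args_equal(signed_message, presented_message)


if __name__ == "__main__":
    # Constructed sample: the intruder knows m = a.b and m' = c and cuts them as
    # m1 = a, m2 = b, m1' = epsilon, m2' = c.
    M, M_prime = collide(("a", "b"), ("c",), 1, 0)
    print("M  =", M)
    print("M' =", M_prime)
    print("h(M) = h(M'):", hash_args_equal(M, M_prime))
    print("B accepts M' with sigma_A(M):", signature_accepts(M, M_prime))
```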



For the following mode and signature functions the theory $\mathcal{E}_{AU} \cup \{(HC)\}$ is a well-moded theory, and the intruder $\mathcal{I}_h$ is:

$$\mathcal{I}_h = (\mathcal{F}_{AU} \cup \{f, g, h\},\ S_{AU} \cup \{f(x_1, x_2, y_1, y_2), g(x_1, x_2, y_1, y_2), h(x)\},\ \mathcal{E}_{AU} \cup \{(HC)\})$$

with:

mode: $m(\cdot, 1) = m(\cdot, 2) = m(g, i) = m(f, i) = 0$ for all $i \in \{1, \ldots, 4\}$, and $m(h, 1) = 0$;

signature: $\mathrm{Sign}(\cdot) = \mathrm{Sign}(\epsilon) = \mathrm{Sign}(f) = \mathrm{Sign}(g) = 0$ and $\mathrm{Sign}(h) = 1$.

Notice that in this case, every well-moded syntactic subterm of a term $t$ is of signature 0, and every ill-moded strict syntactic subterm is of signature 1 (Lemma 3). The main result of this paper is the following decidability result.

Theorem 1. Ordered satisfiability for the $\mathcal{I}_h$ intruder is decidable.



The rest of this paper is dedicated to the proof of this theorem. The technique employed consists in successive reductions to simpler problems and in finally proving that all simpler problems are decidable. These reductions are summarised in Figure 1. A proof for the decidability of the $\mathcal{I}_g$, $\mathcal{I}_f$ and $\mathcal{I}_{AU}$ intruders is given in Section 5.2. Algorithm 1, which permits the first reduction, is based on the facts that the $\mathcal{I}_h$ intruder is well-moded (as seen above) and that we can apply a reduction according to the criterion of [5] for well-moded intruder systems.

Fig. 1. Reduction strategy (figure not reproduced): the first reduction is Algorithm 1, followed by the generic combination algorithm of [3].



CRITERION: If $E \to_{\mathcal{I}} E, r \to_{\mathcal{I}} E, r, t$ and $r \notin \mathrm{Sub}(E, t) \cup C_{spe}$ then there is a set of terms $F$ such that $E \to^{*}_{\mathcal{I}} F$



If a well-moded intruder system satisfies this criterion, then the following proposition holds. It is a cornerstone for the proof of completeness of Algorithm 1.

Proposition 1. Let $\mathcal{I}$ be a well-moded intruder that satisfies the criterion, and let $\mathcal{C}$ be a deterministic $\mathcal{I}$-constraint system. If $\mathcal{C}$ is satisfiable, there exists a substitution $\sigma$ such that $\sigma \models_{\mathcal{I}} \mathcal{C}$ and:

$$\{\, t \in \mathrm{Sub}((\mathrm{Sub}(\mathcal{C})\sigma)\!\downarrow) \mid \mathrm{Sign}(t) = 1 \,\} \subseteq \{\, (t\sigma)\!\downarrow \mid (t \in \mathrm{Sub}(\mathcal{C}) \text{ and } \mathrm{Sign}(t) = 1) \text{ or } t \in \mathcal{X} \,\}$$



5 Decidability of reachability 

We present here a decision procedure for the Ordered Satisfiability problem for the $\mathcal{I}_h$ intruder system. Our technique consists in simplifying the intruder system $\mathcal{I}_h$ to $\mathcal{I}_{free}$. We then reduce the decidability problems of ordered reachability for deterministic constraint problems for $\mathcal{I}_{free}$ to the decidability problems of ordered reachability for deterministic constraint problems for $\mathcal{I}_g$, $\mathcal{I}_f$ and $\mathcal{I}_{AU}$. We finally prove the decidability for these intruder systems.



5.1 Reduction to the $\mathcal{I}_{free}$ intruder



Algorithm. We present here a procedure for reducing the $\mathcal{I}_h$ intruder system to the $\mathcal{I}_{free}$ intruder system. It takes as input a deterministic constraint system $\mathcal{C} = ((E_i \triangleright v_i)_{i \in \{1,\ldots,n\}}, S)$ and a linear ordering $\prec_{\mathcal{I}}$ on the atoms of $\mathcal{C}$. Let $m = |\mathrm{Sub}(\mathcal{C})|$ be the number of subterms in $\mathcal{C}$.

Algorithm 1

Step 1. Choose a number $k < m$ and add $k$ equations $h_j \overset{?}{=} h(c_j)$ to $S$, where the $h_j, c_j$ are new variables.

Step 2. For each $t \in \mathrm{Sub}(\mathcal{C}) \cup \{c_1, \ldots, c_k\}$ choose a type 0, 1 or 2. If $t$ is of type 1, choose $j_t \in \{1, \ldots, k\}$ and add an equation $t \overset{?}{=} h_{j_t}$ to $S$.

Step 3. For all $t, t' \in \mathrm{Sub}(\mathcal{C})$, if there exists $h \in \{h_1, \ldots, h_k\}$ such that $t \overset{?}{=} h$ and $t' \overset{?}{=} h$ are in $S$, add to $S$ an equation $t \overset{?}{=} t'$.

Step 4. Choose a subset $H$ of $\{c_1, \ldots, c_k\} \cup \{h_1, \ldots, h_k\}$ and guess a total order $<_d$ on $L = H \cup \{v_1, \ldots, v_n\}$ such that $v_i <_d v_j$ iff $i < j$. Write the obtained list $w_1, \ldots, w_l$. Let $S'$ be the unification system obtained so far, and form:

$$\mathcal{C}' = ((F_i \triangleright w_i)_{1 \le i \le l}, S')$$

with:

$$F_1 = E_1, \qquad F_{i+1} = F_i \cup (E_{j+1} \setminus E_j) \text{ if } w_i = v_j, \qquad F_{i+1} = F_i, w_i \text{ otherwise.}$$

Step 5. For all $t \in \mathrm{Sub}(\mathcal{C})$ chosen of type 1, replace all occurrences of $t$ in the $F_i$ and all occurrences of $t$ as a strict subterm in $S'$ by the representative of its class, $h_{j_t}$. Let $F'_i$ be the set $F_i$ once this abstraction has been applied.

Step 6. Non-deterministically reduce $S'$ to a unification system $S''$ free of $h$ symbols, and form the satisfiable $\mathcal{I}_{free}$ constraint system:

$$\mathcal{C}'' = ((F'_i \triangleright w_i)_{1 \le i \le l}, S'')$$


Sketch of the completeness proof. Assume that the initial deterministic constraint system is satisfiable. By Proposition 1 there exists a bound substitution $\sigma$ satisfying $\mathcal{C}$.

— Let the number $k$ chosen at Step 1 be the number of subterms whose top symbol is $h$ in $\mathrm{Sub}((\mathrm{Sub}(\mathcal{C})\sigma)\!\downarrow)$. The $h_j$ represent the different values of the terms of signature 1. In the sequel we assume that $\sigma$ is extended to the $h_j$ such that all $h_j\sigma$ have a different value and are of signature 1.

— In Step 2, if $\mathrm{Sign}((t\sigma)\!\downarrow) = 1$ we choose the $j$ such that $(t\sigma)\!\downarrow = h_j\sigma$ and add the corresponding equation to $S$.

— In Step 3, we add equations between terms whose normal forms by $\sigma$ are equal, in order to simplify the reduction to $\mathcal{I}_{free}$.

— Step 4 is slightly more intricate. It relies on the fact that a rule in $S_1$ may only yield a term whose normal form by $\sigma$ is of signature 1. The subset $H$ corresponds to the subterms of signature 1 of $\mathrm{Sub}((\mathrm{Sub}(\mathcal{C}\sigma))\!\downarrow)$ that are deduced by the intruder using a rule in $S_1$. We then anticipate the construction of $h_i\sigma$ with the application of a rule in $S_1$ by requiring that the corresponding $c_i\sigma$ has to be built just before (this point is proved in a lemma below). Given the bound on $k$, this means that all remaining deductions performed by the intruder are now instances of rules in $S_0$. Since $\mathcal{C}$ is satisfied by $\sigma$ there exists a choice corresponding to quasi well-formed derivations such that all remaining reachability constraints are satisfiable by instances of rules in $S_0$.

— At Step 5 we "purify" almost all of the constraint system by removing all occurrences of a symbol $h$ but the ones that are at the top of an equality. By the choice of the equivalence classes it is clear that this purification does not lose satisfiability by the substitution $\sigma$.

— The non-deterministic reduction is performed by guessing whether the equality of two hashes is the consequence of a collision set up by the intruder or of the equality of the hashed messages, and will produce a constraint system $\mathcal{C}''$ without $h$ symbols and also satisfiable by $\sigma$ (Lemma 5).

Justification. We now justify the completeness of the algorithm with the following lemmas.

Lemma 1. Let $R(\mathcal{E}_h)$ be the completion of the $\mathcal{E}_h$ intruder theory, and let $l = r \in R(\mathcal{E}_h)$. If $l \in \mathcal{X}$ then $l \in \mathrm{Var}(r)$.

Proof. Let $l = r \in R(\mathcal{E}_h)$ and suppose that $l \in \mathcal{X}$ and $l \notin \mathrm{Var}(r)$. Let $t_1$ and $t_2$ be two different terms in $T(\mathcal{F}_h, \mathcal{X})$ and let $\sigma_1$ and $\sigma_2$ be two substitutions such that $\sigma_1(l) = t_1$, $\sigma_2(l) = t_2$ and $\sigma_1(r) = \sigma_2(r)$. Then $t_1 =_{\mathcal{E}_h} t_2$. We deduce that if $l \in \mathcal{X}$ and $l \notin \mathrm{Var}(r)$ for a rule $l = r \in R(\mathcal{E}_h)$, all terms in $T(\mathcal{F}_h, \mathcal{X})$ are equal modulo $\mathcal{E}_h$, which is impossible. Hence for any rule $l = r \in R(\mathcal{E}_h)$, if $l \in \mathcal{X}$ we have $l \in \mathrm{Var}(r)$. □

Lemma 2. Let $t$ and $t'$ be two terms in $T(\mathcal{F}_h, \mathcal{X})$. If $t \to_{l \to r} t'$ and $l \to r \in R(\mathcal{E}_h)$ then $l \notin \mathcal{X}$.

Proof. See the proof in [4]. □
Lemma 3. Let $t \in T(\mathcal{F}_h, \mathcal{X})$. We have:

- If $t' \in \mathrm{Sub}_{syn}(t)$ and $\mathrm{Sign}(t') = 1$ then $t' \in \mathrm{Sub}(t)$;

- If $\mathrm{Sign}(t) = 1$ then $\mathrm{Sign}((t){\downarrow}) = 1$.

Proof. 1) Let $t \in T(\mathcal{F}_h, \mathcal{X})$ and $t' \in \mathrm{Sub}_{syn}(t)$ such that $\mathrm{Sign}(t') = 1$; let us prove that $t' \in \mathrm{Sub}(t)$. Since $t' \in \mathrm{Sub}_{syn}(t)$, we have two cases:

- $t' = t$, then $t' \in \mathrm{Sub}(t)$.

- $t'$ is a strict syntactic subterm of $t$; then there exist an integer $p \ge 0$ and an integer $i \ge 1$ such that $t|_{p \cdot i} = t'$. We have $\mathrm{Sign}(t|_{p \cdot i}) = 1$ and, by definition of the $\mathcal{F}_h$ theory, $m(\mathrm{top}(t|_p), i) = 0$, hence $m(\mathrm{top}(t|_p), i) \ne \mathrm{Sign}(t|_{p \cdot i})$. Thus $t'$ is in an ill-moded position in $t$, which implies that $t' \in \mathrm{Sub}(t)$.

2) Let $t$ be a ground term in $T(\mathcal{F}_h)$ such that $\mathrm{Sign}(t) = 1$. We have a finite sequence of rewritings starting from $t$ and leading to $(t){\downarrow}$:

$$t \to_{R(\mathcal{E}_h)} \cdots \to_{R(\mathcal{E}_h)} t_i \to_{R(\mathcal{E}_h)} t_{i+1} \to_{R(\mathcal{E}_h)} \cdots \to_{R(\mathcal{E}_h)} (t){\downarrow}$$

Suppose that $\mathrm{Sign}(t_i) = 1$, and let us prove that $\mathrm{Sign}(t_{i+1}) = 1$. Let $l = r$ be the rule applied in step $i$. By definition of rewriting, there exist a ground substitution $\sigma$ and a position $p$ such that $t_i|_p = l\sigma$, $t_{i+1} = t_i[p \leftarrow r\sigma]$ and $l\sigma > r\sigma$. We have two cases:

- If $p \ne \varepsilon$, then $\mathrm{top}(t_{i+1}) = \mathrm{top}(t_i)$ and thus, by $\mathrm{Sign}(t_i) = 1$, we have $\mathrm{Sign}(t_{i+1}) = 1$.

- If $p = \varepsilon$, then $t_i = l\sigma$. Since $\mathrm{Sign}(l\sigma) = 1$ and $l\sigma$ is ground, we have $\mathrm{top}(l\sigma) = h$. Since $l\sigma > r\sigma$ and by Lemma 1 we have $l \notin \mathcal{X}$, and thus $l = h(l')$ for some $l' \in T(\mathcal{F}_h, \mathcal{X})$. Since $R(\mathcal{E}_h)$ is well-moded and $\mathrm{Sign}(l) = 1$, we have $\mathrm{Sign}(r) = 1$. We have three cases:

• $r$ is a non-free constant. Since the only non-free constant in the $\mathcal{E}_h$ theory is $\varepsilon$ and $\mathrm{Sign}(\varepsilon) = 0$, this case is impossible.

• $r$ is a variable. By Lemma 1 we have $r \in \mathrm{Var}(l)$, and thus $r \in \mathrm{Sub}_{syn}(l)$. Since $l$ is well-moded in the $\mathcal{E}_h$ theory, we have $\mathrm{Sign}(r) = 0$, which contradicts $\mathrm{Sign}(l) = \mathrm{Sign}(r)$.

• $r = h(r')$ for some $r' \in T(\mathcal{F}_h, \mathcal{X})$. This implies that $r\sigma = h(r'\sigma)$, and therefore $\mathrm{Sign}(r\sigma) = 1 = \mathrm{Sign}(t_{i+1})$.

For all $i \in \{1, \ldots, n-1\}$, $\mathrm{Sign}(t_i) = 1$ implies $\mathrm{Sign}(t_{i+1}) = 1$, which proves the second point of the lemma. □

Lemma 4. Assume $E$ and $F$ are in normal form. If $E \to_S F$ and $t \in \mathrm{Sub}(F) \setminus (\mathrm{Sub}(E) \cup C_{spe})$, then $F \setminus E = t$ and $E \to_{l \to u} F$ with $l \to u \in S$ and $\mathrm{Sign}(u) = \mathrm{Sign}(t)$.

Proof. See the proof in [5]. □

Lemma 5. Let $A$ and $R(A)$ be an equational theory and its completion, respectively. If $A$ is regular then $R(A)$ is regular too.

Proof. Let $A$ be a regular equational theory, that is for all $l = r \in A$ we have $\mathrm{Var}(l) = \mathrm{Var}(r)$. Let $l = r$ and $g = d$ be two rules such that $\mathrm{Var}(l) = \mathrm{Var}(r)$ and $\mathrm{Var}(g) = \mathrm{Var}(d)$. Suppose that there exists a principal unifier $\sigma$ of $g$ and a non-variable subterm $l|_p$ of $l$. Let us prove that the derived rule $r\sigma = l\sigma[p \leftarrow d\sigma]$ obtained by the completion algorithm preserves variables. We have $\mathrm{Var}(l\sigma) = (\mathrm{Var}(l\sigma) \setminus \mathrm{Var}(l\sigma|_p)) \cup \mathrm{Var}(g\sigma)$ and $\mathrm{Var}(l\sigma[p \leftarrow d\sigma]) = (\mathrm{Var}(l\sigma) \setminus \mathrm{Var}(l\sigma|_p)) \cup \mathrm{Var}(d\sigma)$, and since $\mathrm{Var}(g) = \mathrm{Var}(d)$ we have $\mathrm{Var}(l\sigma[p \leftarrow d\sigma]) = \mathrm{Var}(l\sigma) = \mathrm{Var}(r\sigma)$. This concludes the proof of the lemma. □

Lemma 6. Let $t \in T(\mathcal{F}_h)$ with all its factors in normal form. We have $\mathrm{Sub}(t) \setminus \{\varepsilon, t\} \subseteq \mathrm{Sub}((t){\downarrow})$.

Proof. Let $t \in T(\mathcal{F}_h)$. There exists a finite sequence of rewritings starting from $t$ and leading to $(t){\downarrow}$:

$$t \to_{R(\mathcal{E}_h)} \cdots \to_{R(\mathcal{E}_h)} t_i \to_{R(\mathcal{E}_h)} t_{i+1} \to_{R(\mathcal{E}_h)} \cdots \to_{R(\mathcal{E}_h)} (t){\downarrow}$$

Let us prove the lemma by contradiction and assume that $u \in \mathrm{Sub}(t_i) \setminus \{\varepsilon, t_i\}$ and $u \notin \mathrm{Sub}(t_{i+1})$. Since $u \in \mathrm{Sub}(t_i) \setminus \{\varepsilon, t_i\}$, there exists an integer $q \ge 1$ such that $t_i|_q = u$. Let $l = l'$ be the rule applied on $t_i$. There exist an integer $p \ge 0$ and a ground substitution $\sigma$ such that $t_i|_p = l\sigma$ and $t_{i+1} = t_i[p \leftarrow l'\sigma]$ with $l\sigma > l'\sigma$.

- If $u \notin \mathrm{Sub}(l\sigma)$ then $u \in \mathrm{Sub}(t_{i+1})$.

- If $u \in \mathrm{Sub}(l\sigma)$, then since $l$ is well-moded, $u$ is in normal form and $u \ne \varepsilon$, there exists $x \in \mathrm{Var}(l)$ such that $u \in \mathrm{Sub}(x\sigma)$. Since $\mathrm{Var}(l) = \mathrm{Var}(l')$, we have $u \in \mathrm{Sub}(t_{i+1})$.

In both cases we reach a contradiction with $u \notin \mathrm{Sub}(t_{i+1})$. This concludes the proof of the lemma. □

Lemma 7. The intruder system $\mathcal{I}_h$ satisfies CRITERION.

Proof. Let $E$ be a set of terms in normal form satisfying the derivation $E \to_{S_1} E, r \to_{S_1} E, r, t$ with $r \notin \mathrm{Sub}(E, t) \cup C_{spe}$. In order to prove that there exists a set of terms $F$ such that $E \to^*_{S_0} F \to_{S_1} F, t$, it suffices to prove that $E \to_{S_1} E, t$. We have $E \to_{S_1} E, r$ and the only $S_1$ rule is $x \to h(x)$. By definition, there exists a normal ground substitution $\sigma$ such that $x\sigma \in E$ and $r = (h(x\sigma)){\downarrow}$. Since $\mathrm{Sign}(h(x\sigma)) = 1$, by Lemma 3 we have $\mathrm{Sign}(r) = 1$. Since $E, r \to_{S_1} E, r, t$, there exists a normal ground substitution $\sigma'$ such that $x\sigma' \in E, r$ and $t = (h(x\sigma')){\downarrow}$. If $x\sigma' = r$, we have $t = (h(r)){\downarrow}$. All factors of $h(r)$ are in normal form and $r \in \mathrm{Sub}(h(r)) \setminus \{h(r), \varepsilon\}$, so by Lemma 6 we have $r \in \mathrm{Sub}(t)$, which contradicts the hypothesis $r \notin \mathrm{Sub}(E, t) \cup C_{spe}$. By contradiction, we have $x\sigma' \in E$ and thus $E \to_{S_1} E, t$. □

In the following lemma, $t =^1_{HC} t'$ denotes that there exists a one-step rewriting between $t$ and $t'$ using the (HC) rule.

Lemma 8. Let $t_0, t, t' \in T(\mathcal{F}_h, \mathcal{X})$ such that $t_0 =_{\mathcal{E}_{AU}} t =^1_{HC} t'$ and $t_0 = h(t_1 \cdot f(t_1, t_2, t_3, t_4) \cdot t_2)$. We have $t' =_{\mathcal{E}_{AU}} h(t_3 \cdot g(t_1, t_2, t_3, t_4) \cdot t_4)$.

Proof. Let $h(m_1 \cdot f/g(m_1, m_2, m_3, m_4) \cdot m_2) = h(m_3 \cdot g/f(m_1, m_2, m_3, m_4) \cdot m_4)$ be the ground instance of (HC) used between $t$ and $t'$. Let us prove that $m_1 =_{\mathcal{E}_{AU}} t_1$. If $m_1 \ne_{\mathcal{E}_{AU}} t_1$ then either $m_1$ is a prefix modulo $\mathcal{E}_{AU}$ of $t_1$, or $t_1$ is a prefix modulo $\mathcal{E}_{AU}$ of $m_1$. Let us review these two cases:

- $m_1$ is a prefix modulo $\mathcal{E}_{AU}$ of $t_1$: then $t_1 = m_1 \cdot x$ with $x \ne_{\mathcal{E}_{AU}} \varepsilon$, so $f/g(m_1, m_2, m_3, m_4) \in \mathrm{Sub}_{syn}(t_1)$ and hence $m_2 \in \mathrm{Sub}_{syn}(t_1)$. We also have $m_2 = y \cdot t_2$ with $y \ne_{\mathcal{E}_{AU}} \varepsilon$, so $f(t_1, t_2, t_3, t_4) \in \mathrm{Sub}_{syn}(m_2)$ and hence $t_1 \in \mathrm{Sub}_{syn}(m_2)$. We conclude that $t_1$ is a strict subterm of $m_2$ and $m_2$ is a strict subterm of $t_1$, which is impossible.

- $t_1$ is a prefix modulo $\mathcal{E}_{AU}$ of $m_1$: by reasoning as above on $t_2$, which is a suffix of $m_2$, we can also prove that this case is impossible.

Thus we have $m_1 =_{\mathcal{E}_{AU}} t_1$, hence $f/g(m_1, m_2, m_3, m_4) =_{\mathcal{E}_{AU}} f(t_1, t_2, t_3, t_4)$, that is $m_i =_{\mathcal{E}_{AU}} t_i$ for $i \in \{1, 2, 3, 4\}$ and $t' =_{\mathcal{E}_{AU}} h(t_3 \cdot g(t_1, t_2, t_3, t_4) \cdot t_4)$. □

In the following lemma, $t =^1 t'$ denotes that there exists a finite sequence of rewritings between $t$ and $t'$ using $\mathcal{E}_{AU}$ rules in which the (HC) rule is used exactly once.

Lemma 9. Let $h(m)$, $h(m')$ be two pure terms and $\sigma$ a ground substitution such that $\sigma \models_{\mathcal{E}_h} h(m) = h(m')$. Then either:

$$\sigma \models_{\mathcal{E}_{AU}} m = m'$$

or

$$\sigma \models_{\mathcal{E}_{AU}} \{m = x_1 \cdot g(x_1, x_2, y_1, y_2) \cdot x_2,\ m' = y_1 \cdot f(x_1, x_2, y_1, y_2) \cdot y_2\}$$

with $x_1, x_2, y_1, y_2$ new variables (modulo the commutativity of $=$).

Proof. Let $m_1, m_2, m_3 \in T(\mathcal{F}_h, \mathcal{X})$ such that $h(m_1) =^1_{HC} h(m_2) =^1_{HC} h(m_3)$. If $m_1 =_{\mathcal{E}_{AU}} t_1 \cdot f(t_1, t_2, t_3, t_4) \cdot t_2$ then, by Lemma 8, we have

$$m_2 =_{\mathcal{E}_{AU}} t_3 \cdot g(t_1, t_2, t_3, t_4) \cdot t_4$$

$$m_3 =_{\mathcal{E}_{AU}} t_1 \cdot f(t_1, t_2, t_3, t_4) \cdot t_2$$

Let $S_{m_1} = \{m \mid h(m) =_{\mathcal{E}_h} h(m_1)\}$; then, by Lemma 8, we have $S_{m_1} = \{m \mid m =_{\mathcal{E}_{AU}} m_1\} \cup \{m \mid m =_{\mathcal{E}_{AU}} t_3 \cdot g(t_1, t_2, t_3, t_4) \cdot t_4\}$.

We have $\sigma \models_{\mathcal{E}_h} h(m) = h(m')$, that is $h(m\sigma) =_{\mathcal{E}_h} h(m'\sigma)$, and thus $m'\sigma \in S_{m\sigma}$, which implies that either $m\sigma =_{\mathcal{E}_{AU}} m'\sigma$, and then $\sigma \models_{\mathcal{E}_{AU}} m = m'$, or $m\sigma =_{\mathcal{E}_{AU}} x_1\sigma \cdot f(x_1\sigma, x_2\sigma, y_1\sigma, y_2\sigma) \cdot x_2\sigma$ and $m'\sigma =_{\mathcal{E}_{AU}} y_1\sigma \cdot g(x_1\sigma, x_2\sigma, y_1\sigma, y_2\sigma) \cdot y_2\sigma$, and then $\sigma \models_{\mathcal{E}_{AU}} \{m = x_1 \cdot g(x_1, x_2, y_1, y_2) \cdot x_2,\ m' = y_1 \cdot f(x_1, x_2, y_1, y_2) \cdot y_2\}$.

□
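The case split of Lemma 9, as an added example (not code from the paper): words over the associative concatenation with unit $\varepsilon$ are flat tuples, and the skolem symbols $f$ and $g$ stand for the two colliding messages of one (HC) instance, written here in the orientation used in the proof of Lemma 8 ($x_1 \cdot f(\ldots) \cdot x_2$ against $y_1 \cdot g(\ldots) \cdot y_2$). All sample words are constructed; constant names `f`/`g` are reserved for the symbols.

```python
# Symbolic model of hash equality modulo (HC):
#   h(x1 . f(x1,x2,y1,y2) . x2) = h(y1 . g(x1,x2,y1,y2) . y2)
# Added example, not the paper's code. Words are flat tuples of letters; a
# letter is a constant (str) or a skolem term ("f"|"g", x1, x2, y1, y2).
from typing import Optional, Tuple, Union

Letter = Union[str, tuple]
Word = Tuple[Letter, ...]          # the unit e is the empty tuple ()

def word(*parts) -> Word:
    """AU normal form: flatten nested concatenations and drop the unit e."""
    out = []
    for p in parts:
        if isinstance(p, (list, tuple)) and not (p and p[0] in ("f", "g")):
            out.extend(word(*p))   # associativity: (u.v).w = u.(v.w)
        elif p != ():              # unit: e.u = u.e = u
            out.append(p)
    return tuple(out)

def collision_split(m: Word) -> Optional[Tuple[str, tuple]]:
    """Find the f/g letter of m whose recorded context matches the prefix
    and suffix around it (Lemma 8 makes this split unique); None if absent."""
    for k, letter in enumerate(m):
        if isinstance(letter, tuple) and letter[0] in ("f", "g"):
            sym, x1, x2, y1, y2 = letter
            prefix, suffix = m[:k], m[k + 1:]
            if sym == "f" and (prefix, suffix) == (x1, x2):
                return sym, (x1, x2, y1, y2)
            if sym == "g" and (prefix, suffix) == (y1, y2):
                return sym, (x1, x2, y1, y2)
    return None

def hash_equal(m: Word, m2: Word) -> Optional[Tuple[str, Optional[tuple]]]:
    """Decide h(m) = h(m2) modulo E_h as in Lemma 9: the messages are
    AU-equal, or they are the two sides of one (HC) instance (either way
    round); otherwise the hashes differ and None is returned."""
    if m == m2:
        return ("AU", None)
    a, b = collision_split(m), collision_split(m2)
    if a and b and a[1] == b[1] and {a[0], b[0]} == {"f", "g"}:
        return ("HC", a[1])
    return None

def colliding_pair(x1: Word, x2: Word, y1: Word, y2: Word) -> Tuple[Word, Word]:
    """The S_0 rules x1,x2,y1,y2 -> f(...) and -> g(...): from the four context
    words the intruder forms the two messages equated by (HC)."""
    args = (x1, x2, y1, y2)
    return word(x1, ("f",) + args, x2), word(y1, ("g",) + args, y2)

# Constructed sample: context words chosen by the intruder, and a g-message
# whose recorded y2 does not match its actual suffix (so no collision).
X1, X2, Y1, Y2 = word("a"), word("b"), word("c"), word("d", "e")
M, M2 = colliding_pair(X1, X2, Y1, Y2)
BAD = word(Y1, ("g", X1, X2, Y1, word("d")), Y2)
```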

In the following lemma, we use the $\mathcal{I}_{free}$ intruder with $\mathrm{Sign}(\varepsilon) = \mathrm{Sign}(\cdot) = 0$, $\mathrm{Sign}(f) = \mathrm{Sign}(g) = 1$, and the notion of subterm values is defined as in [?].

Lemma 10. Let $E$ be a set of terms in normal form. If $E \to^*_{S_0} f(t_1, t_2, t'_1, t'_2)$ and $f(t_1, t_2, t'_1, t'_2) \notin \mathrm{Sub}_{syn}(E)$ then $E \to^*_{S_0} t_1, t_2, t'_1, t'_2$.

Proof. We have $E \to^*_{S_0} f(t_1, t_2, t'_1, t'_2)$, that is, there exists a finite sequence of rewritings starting from $E$ and leading to $f(t_1, t_2, t'_1, t'_2)$: $E \to_{S_0} E_1 \to_{S_0} \cdots \to_{S_0} E_{n-1} \to_{S_0} E_n = E_{n-1}, f(t_1, t_2, t'_1, t'_2)$. By hypothesis, we have $f(t_1, t_2, t'_1, t'_2) \in \mathrm{Sub}(E_n) \setminus (\mathrm{Sub}(E) \cup C_{spe})$. Let $E_i$ be the smallest set in the derivation such that $f(t_1, t_2, t'_1, t'_2) \in \mathrm{Sub}(E_i) \setminus (\mathrm{Sub}(E_{i-1}) \cup C_{spe})$ ($i \ge 1$). By Lemma 4 the rule applied in step $i$ of the derivation is either $x_1, x_2, y_1, y_2 \to g(x_1, x_2, y_1, y_2)$ or $x_1, x_2, y_1, y_2 \to f(x_1, x_2, y_1, y_2)$, and in our case it is $x_1, x_2, y_1, y_2 \to f(x_1, x_2, y_1, y_2)$. By definition, there exists a normal ground substitution $\sigma$ such that $t_i = x_i\sigma$ and $t'_i = y_i\sigma$ for $i \in \{1, 2\}$ and $t_1, t_2, t'_1, t'_2 \in E_{i-1}$. We deduce that

$$E \to^*_{S_0} t_1, t_2, t'_1, t'_2. \quad □$$

Lemma 11. Let $C$ be a deterministic constraint system of the form $((E_i \rhd v_i)_{i \in \{1, \ldots, n\}}, S)$ such that no term appearing in $C$ has the form $f(t_1, t_2, t_3, t_4)$ or $g(t_1, t_2, t_3, t_4)$ for some $t_1, \ldots, t_4$, and let $(h(m_1) = h(m_2)) \in S$. Let $\sigma$ be a ground substitution which satisfies $C$. For all $i \in \{1, \ldots, n\}$, we have:

$$\sigma \models (E_i \rhd_{S_0} m_1) \quad \text{iff} \quad \sigma \models (E_i \rhd_{S_0} m_2)$$

Proof. By symmetry, it suffices to prove that if $\sigma \models (E_i \rhd_{S_0} m_1)$ then $\sigma \models (E_i \rhd_{S_0} m_2)$. Since $\sigma \models_{\mathcal{E}_h} (h(m_1) = h(m_2))$, by Lemma 9 we have two cases:

- If $\sigma \models_{\mathcal{E}_{AU}} m_1 = m_2$ then the result is obvious.

- If $\sigma \models_{\mathcal{E}_{AU}} \{m = x_1 \cdot g(x_1, x_2, y_1, y_2) \cdot x_2,\ m' = y_1 \cdot f(x_1, x_2, y_1, y_2) \cdot y_2\}$ then

$$m_1\sigma =_{\mathcal{E}_{AU}} x_1\sigma \cdot f(x_1\sigma, x_2\sigma, y_1\sigma, y_2\sigma) \cdot x_2\sigma$$

$$m_2\sigma =_{\mathcal{E}_{AU}} y_1\sigma \cdot g(x_1\sigma, x_2\sigma, y_1\sigma, y_2\sigma) \cdot y_2\sigma$$

Since $\sigma \models (E_i \rhd_{S_0} m_1)$, we have $(E_i\sigma){\downarrow} \to^*_{S_0} (x_1\sigma \cdot f(x_1\sigma, x_2\sigma, y_1\sigma, y_2\sigma) \cdot x_2\sigma){\downarrow}$ and thus $(E_i\sigma){\downarrow} \to^*_{S_0} (x_1\sigma){\downarrow} \cdot f((x_1\sigma){\downarrow}, (x_2\sigma){\downarrow}, (y_1\sigma){\downarrow}, (y_2\sigma){\downarrow}) \cdot (x_2\sigma){\downarrow}$, which implies that $(E_i\sigma){\downarrow} \to^*_{S_0} (x_1\sigma){\downarrow}, (x_2\sigma){\downarrow}, f((x_1\sigma){\downarrow}, (x_2\sigma){\downarrow}, (y_1\sigma){\downarrow}, (y_2\sigma){\downarrow})$.

Since $(E_i\sigma){\downarrow} \to^*_{S_0} f((x_1\sigma){\downarrow}, (x_2\sigma){\downarrow}, (y_1\sigma){\downarrow}, (y_2\sigma){\downarrow})$, we have two cases:

• $f((x_1\sigma){\downarrow}, (x_2\sigma){\downarrow}, (y_1\sigma){\downarrow}, (y_2\sigma){\downarrow}) \notin \mathrm{Sub}_{syn}((E_i\sigma){\downarrow})$: by Lemma 10 we have $(E_i\sigma){\downarrow} \to^*_{S_0} (x_1\sigma){\downarrow}, (x_2\sigma){\downarrow}, (y_1\sigma){\downarrow}, (y_2\sigma){\downarrow}$ and thus $(E_i\sigma){\downarrow} \to^*_{S_0} g((x_1\sigma){\downarrow}, (x_2\sigma){\downarrow}, (y_1\sigma){\downarrow}, (y_2\sigma){\downarrow})$, which implies that $(E_i\sigma){\downarrow} \to^*_{S_0} (y_1\sigma){\downarrow} \cdot g((x_1\sigma){\downarrow}, (x_2\sigma){\downarrow}, (y_1\sigma){\downarrow}, (y_2\sigma){\downarrow}) \cdot (y_2\sigma){\downarrow}$. We conclude that $\sigma \models (E_i \rhd_{S_0} m_2)$.

• $f((x_1\sigma){\downarrow}, (x_2\sigma){\downarrow}, (y_1\sigma){\downarrow}, (y_2\sigma){\downarrow}) \in \mathrm{Sub}_{syn}((E_i\sigma){\downarrow})$: there exists $v_j \in \mathrm{Var}(E_i)$ such that $f(x_1\sigma, x_2\sigma, y_1\sigma, y_2\sigma) \in \mathrm{Sub}_{syn}(v_j\sigma)$, with $j < i$ and $\sigma \models (E_j \rhd_{S_0} v_j)$. Let $l$ be the smallest integer such that $(E_l\sigma){\downarrow} \to^*_{S_0} f((x_1\sigma){\downarrow}, (x_2\sigma){\downarrow}, (y_1\sigma){\downarrow}, (y_2\sigma){\downarrow})$ and $f((x_1\sigma){\downarrow}, (x_2\sigma){\downarrow}, (y_1\sigma){\downarrow}, (y_2\sigma){\downarrow}) \notin \mathrm{Sub}_{syn}((E_l\sigma){\downarrow})$. By Lemma 10 we have $(E_l\sigma){\downarrow} \to^*_{S_0} (x_1\sigma){\downarrow}, (x_2\sigma){\downarrow}, (y_1\sigma){\downarrow}, (y_2\sigma){\downarrow}$ and thus $(E_i\sigma){\downarrow} \to^*_{S_0} (x_1\sigma){\downarrow}, (x_2\sigma){\downarrow}, (y_1\sigma){\downarrow}, (y_2\sigma){\downarrow}$, which implies that $(E_i\sigma){\downarrow} \to^*_{S_0} g((x_1\sigma){\downarrow}, (x_2\sigma){\downarrow}, (y_1\sigma){\downarrow}, (y_2\sigma){\downarrow})$. We conclude that $\sigma \models (E_i \rhd_{S_0} m_2)$.

□

Lemma 12. Let $C = ((E_i \rhd v_i)_{i \in \{1, \ldots, n\}}, S)$ be a deterministic constraint system such that no term appearing in $C$ has the form $f(t_1, t_2, t_3, t_4)$ or $g(t_1, t_2, t_3, t_4)$ for some $t_1, \ldots, t_4$, and let $v_j = h(m) \in S$. Let $\sigma$ be a ground substitution such that $\sigma \models C$ and, for all $E \rhd v \in C$, there exists a derivation starting from $(E\sigma){\downarrow}$ and leading to $(v\sigma){\downarrow}$ in which all steps use $S_0$ rules except possibly the last one, which may use an $S_1$ rule. We have either

$$\sigma \models ((E_1 \rhd v_1, \ldots, E_j \rhd_{S_0} v_j, \ldots, E_n \rhd v_n), S)$$

or

$$\sigma \models ((E_1 \rhd v_1, \ldots, E_j \rhd_{S_0} v'_j, \ldots, E_n \rhd v_n), S') \text{ where } S' = S \cup \{v'_j = m\}.$$

Proof. Let $C = ((E_i \rhd v_i)_{i \in \{1, \ldots, n\}}, S)$, $v_j = h(m) \in S$ and $\sigma$ be a ground substitution such that $\sigma \models C$. We have $\sigma \models (E_j \rhd v_j)$ and $v_j\sigma =_{\mathcal{E}_h} h(m\sigma)$, that is, there exists a finite sequence of rewritings starting from $(E_j\sigma){\downarrow}$ and leading to $(h(m\sigma)){\downarrow}$ in which all steps use $S_0$ rules except possibly the last one, which may use an $S_1$ rule. We have two cases:

- If all used rules are of type $S_0$ then $\sigma \models E_j \rhd_{S_0} h(m)$ and thus $\sigma \models ((E_1 \rhd v_1, \ldots, E_j \rhd_{S_0} v_j, \ldots, E_n \rhd v_n), S)$.

- If the last used rule is of type $S_1$ then $(E_j\sigma){\downarrow} \to^*_{S_0} F, (t\sigma){\downarrow} \to_{S_1} F, (t\sigma){\downarrow}, (h((t\sigma){\downarrow})){\downarrow}$ with $(h((t\sigma){\downarrow})){\downarrow} = (h(m\sigma)){\downarrow}$, and thus we have two cases for the equation $v_j = h(m)$. If $\sigma \models_{\mathcal{E}_{AU}} t = m$ then $\sigma \models E_j \rhd_{S_0} m$ and thus $\sigma \models ((E_1 \rhd v_1, \ldots, E_j \rhd_{S_0} v'_j, \ldots, E_n \rhd v_n), S')$ where $S' = S \cup \{t = m\}$.

Otherwise, the hypothesis of this lemma (no term appearing in $C$ has the form $f(t_1, t_2, t_3, t_4)$ or $g(t_1, t_2, t_3, t_4)$ for some $t_1, \ldots, t_4$) permits us to apply Lemma 11, which implies that $\sigma \models E_j \rhd_{S_0} m$, and thus $\sigma \models ((E_1 \rhd v_1, \ldots, E_j \rhd_{S_0} v'_j, \ldots, E_n \rhd v_n), S')$ where $S' = S \cup \{t = m\}$.

□



5.2 Decidability of reachability for the $\mathcal{I}_{free}$-intruder

We first reduce the $\mathcal{I}_{free}$ intruder system to simpler intruder systems using the combination result of [3]. We will consider the decidability of these subsystems in the remainder of this section.

Theorem 2. Ordered satisfiability for the $\mathcal{I}_{free}$ intruder system is decidable.

Proof. The $\mathcal{I}_{free}$ intruder theory is the disjoint union of the $\mathcal{I}_{AU}$, $\mathcal{I}_g$ and $\mathcal{I}_f$ intruder theories. The reachability problems of these three theories are decidable (Theorem 3 and Theorem 4). The result obtained in [3] proves that the disjoint union of decidable intruder theories is also decidable. Thus $\mathcal{I}_{free}$ is decidable. □

Decidability of reachability for the $\mathcal{I}_g$-intruder. In this subsection, we consider an $\mathcal{I}_g$ intruder system with $\mathcal{I}_g = (g, g(x_1, x_2, x'_1, x'_2), \emptyset)$. This intruder has at its disposal all ground instances of the following deduction rule:

$$x_1, x_2, x'_1, x'_2 \to g(x_1, x_2, x'_1, x'_2)$$

Theorem 3. Ordered satisfiability for the $\mathcal{I}_g$ intruder is decidable.

Proof. Let $C$ be an $\mathcal{I}_g$ deterministic constraint system. Since the $\mathcal{I}_g$ intruder theory satisfies the convergent public-collapsing property of [7], $S$ contains finitely many equations, $C$ contains a finite number of intruder constraints $E_i \rhd v_i$ and $C$ is well-formed, the ordered satisfiability problem for $\mathcal{I}_g$ is decidable by Theorem 1 of [7]. □

Decidability of reachability for the $\mathcal{I}_{AU}$-intruder. We now give a proof sketch for the decidability of ordered satisfiability for the $\mathcal{I}_{AU}$ intruder.

Theorem 4. Ordered satisfiability for the $\mathcal{I}_{AU}$ intruder system is decidable.

Proof. The algorithm proceeds as follows:

- Transform the deduction constraints $E \rhd v$ into an ordering constraint $<_0$;

- Check that $< \stackrel{\mathrm{def}}{=} <_0 \cup <_i$ is still a partial order on the atoms of $C$;

- Solve the unification problems with linear constant restriction $<$.

Let $C = ((E_i \rhd v_i)_{0 \le i \le n}, S)$ be a deterministic constraint system for the $\mathcal{I}_{AU}$ intruder, $<_i$ be a (partial) order on $\mathrm{Cons}(C) \cup \mathrm{Var}(C)$, and let $\sigma$ be a solution of the $(C, <_i)$ ordered satisfiability problem.

Given a set of terms $E \subseteq T(\mathcal{F}_{AU}, \mathcal{X})$, let us denote $K_C(E) = (\mathrm{Cons}(C) \setminus \mathrm{letters}(E)) \setminus \mathcal{X}$. In plain words, $K_C(E)$ is the set of constants in $C$ not occurring in $E$. We are now ready to define $<_d$ as a partial order on $\mathrm{Cons}(C) \cup \{v_0, \ldots, v_n\}$: we set $v_i <_d c$ for all constants $c$ in $K_C(E_i)$.

Claim. For all $\sigma$, we have $\sigma \models (C, <_i)$ if, and only if, $\sigma \models (S, <_i \cup <_d)$.

Proof of the Claim. Let us first prove the direct implication. Let $\sigma$ be a ground solution of the $(C, <_i)$ ordered satisfiability problem. By definition, $\sigma$ is a solution of the $(S, <_i)$ ordered unifiability problem. Since for all $0 \le i \le n$ we have $\sigma \models E_i \rhd v_i$, we easily see that $\mathrm{letters}((v_i\sigma){\downarrow}) \subseteq \mathrm{Cons}(E_i)$, and therefore $\mathrm{letters}((v_i\sigma){\downarrow}) \cap K_C(E_i) = \emptyset$. Thus $\sigma$ is also a solution of $(S, <_d \cup <_i)$. Conversely, assume now that $\sigma$ is a ground solution of $(S, <_d \cup <_i)$. By definition, for all $0 \le i \le n$ we have $\mathrm{letters}((v_i\sigma){\downarrow}) \cap K_C(E_i) = \emptyset$, and thus $\mathrm{letters}((v_i\sigma){\downarrow}) \subseteq \mathrm{letters}(E_i) \setminus \mathcal{X}$. Thus we have $\sigma \models E_i \rhd v_i$ for all $0 \le i \le n$, and hence $\sigma \models (C, <_i)$.

Since unifiability with linear constant restriction is decidable for the AU equational theory [20], this finishes the proof of the theorem. Note that the exact complexity is not known, but the problem is NP-hard and solvable in PSPACE [?], and it is conjectured to be in NP [18, ?]. □
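The first two steps of the Theorem 4 procedure, as an added example (not the paper's implementation): each deduction constraint $E_i \rhd v_i$ is turned into the ordering constraints $v_i <_d c$ for $c \in K_C(E_i)$, and the union with the input order $<_i$ is checked for being a strict partial order (acyclic). The constraint system `SAMPLE_C`, the input order `SAMPLE_LT_I` and the convention that variable names start with an upper-case letter are assumptions of this example.

```python
# Steps 1 and 2 of the Theorem 4 algorithm for the I_AU intruder: build <_d
# from the deduction constraints and check that <_i together with <_d is
# still a strict partial order. Added example, not the paper's code; the
# constraint system and the input order below are constructed.
from typing import Dict, List, Set, Tuple

Word = Tuple[str, ...]                 # flat word over constants and variables
Constraint = Tuple[List[Word], str]    # (E_i, v_i) with v_i a variable

def is_var(a: str) -> bool:
    return a[0].isupper()              # convention of this example: V0, V1, ...

def letters(E: List[Word]) -> Set[str]:
    return {a for w in E for a in w}

def constants_of(C: List[Constraint]) -> Set[str]:
    return {a for E, _ in C for a in letters(E) if not is_var(a)}

def kc(C: List[Constraint], E: List[Word]) -> Set[str]:
    """K_C(E): constants of the whole system C that do not occur in E."""
    return constants_of(C) - letters(E)

def ordering_constraint(C: List[Constraint]) -> Set[Tuple[str, str]]:
    """<_d: v_i <_d c for every constant c in K_C(E_i)."""
    return {(v, c) for E, v in C for c in kc(C, E)}

def is_partial_order(lt: Set[Tuple[str, str]]) -> bool:
    """A strict partial order exists iff the relation is acyclic (DFS)."""
    succ: Dict[str, Set[str]] = {}
    for a, b in lt:
        succ.setdefault(a, set()).add(b)
        succ.setdefault(b, set())
    state: Dict[str, int] = {}         # 0 unvisited, 1 on the DFS stack, 2 done

    def dfs(n: str) -> bool:
        state[n] = 1
        for m in succ[n]:
            s = state.get(m, 0)
            if s == 1 or (s == 0 and not dfs(m)):
                return False           # back edge: a cycle, so no partial order
        state[n] = 2
        return True

    return all(state.get(n, 0) == 2 or dfs(n) for n in succ)

def reduce_to_ordered_unification(C, lt_i):
    """Return <_d and whether <_i together with <_d is a partial order; if so,
    what remains is AU unification with the linear constant restriction <."""
    lt_d = ordering_constraint(C)
    return lt_d, is_partial_order(lt_i | lt_d)

# Constructed deterministic system: E_0 = {a.b}, v_0 = V0 and
# E_1 = {a.b, V0.c}, v_1 = V1; the constant c is unavailable when V0 is built.
SAMPLE_C: List[Constraint] = [([("a", "b")], "V0"), ([("a", "b"), ("V0", "c")], "V1")]
SAMPLE_LT_I: Set[Tuple[str, str]] = {("c", "V0")}   # input order that clashes with <_d
```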

6 Conclusion 

We have presented here a novel decision procedure for the search for attacks on protocols employing hash functions subject to collision attacks. Since this procedure is of practical interest for the analysis of already normalised protocols relying on these weak functions, we plan to implement it in an already existing tool, CL-Atse [?]. Alternatively, an implementation may be done in OFMC [?], though its support of associative operators is still partial. In order to model hash functions we have introduced new symbols to denote the ability to create messages with the same hash value. This introduction amounts to the skolemisation of the equational property describing the existence of collisions. We believe that this construction can be extended to model the more complex and game-based properties that appear when relating a symbolic and a concrete model of cryptographic primitives.